How to Identify and Protect Personal Information

Personal information also referred to as personally identifiable information (PII) and Protected Personal Information (PPI), has a good and bad side for companies. All businesses record the personal information of their clients (names, debit/credit cards, address, etc.) to identify them and execute certain business operations. These business operations may range from meeting payrolls, to filling orders, and advertising. This makes the user and business operations run much faster and smoother.

However, when the personal information of a client isn’t properly secured and falls into the wrong hands, it could lead to a disaster for both the client and company. The information could be used for identity theft, fraud, ransomware, etc. Every organization that handles personal information need to understand regulations that apply to persona information in their custody and what protections are required.

What is personal information?

To start, let’s begin with “What is personal information”? It can simply be answered as “any information that can be used to identify an individual”. What constitutes personal information is defined the various Privacy Acts that govern it – which vary by country, and even state, so it’s important know what regulation(s) apply to your organization.

When something is deemed personal, it means that it should only be able to identify a single person. In some cases, information can actually have more than one subject matter. That is, a piece of information can be about an individual and another thing entirely such as a car, land, etc. So then, what is considered personal information? For information to be considered “personal”, it has to satisfy two criteria:

1. The information must be about a single individual.
2. The identity of the individual in question must be ascertainable from the information.

In addition, for information to be considered personal, it does not necessarily have to be true. The truthfulness of the information doesn’t make it less personal. Not only this, but personal information also doesn’t necessarily need to be written or recorded down like video, audio recordings or photographs. Instead, it can also be communicated in other forms, such as sign language.

Furthermore, information about a deceased person may no longer be considered personal information, depending on the law. The Australian Privacy Act defines personal information as information about a living entity, and not a person who is deceased. However, if information about a deceased person includes the information about a living person, such information could still be considered as personal information.  By contrast, the US HIPAA Privacy rule protects medical information for 50 years after the person’s death.

Additionally, according to the GDPR, religious beliefs, sexuality, health information, and a person’s criminal records is personal information.

In most cases, to access personal information such as a person’s date of birth, home address, contact information, etc. it must be for official purposes only (and only after your consent), as not everyone should be able to access this data.

How Personal Information Is Defined by Data Privacy Laws

There are a wide variety of rules and regulations in different countries as well regions within countries, each with its own definition of personal information, including:

Region	Regulation/Law	“Personal Information is…”
Australia	Australian Privacy Principles (Privacy Act 1988)	Any information that could reasonably identify a living individual.
Canada	Personal Information Protection and Electronic Documents Act (PIPEDA)	Information about an identifiable individual.
European Union	General Data Protection Regulation (GDPR)	…information that leads to the identification of a person, be it name, email address, credit card number, etc.
United States
California	California Consumer Privacy Act	Any information, within reason, that can be linked with a household or a distinguishable person.
	California Online Privacy Protection Act (CalOPPA)	A list of specific data types, such as name, address, email, birthdate, social security number, as well as any identifying contact details or other information that would permit an individual to be contacted physically or online.
	California Privacy Rights Act (CPRA)	Not clearly defined since it is an amendment to CCPA that adds a sensitive information category that includes geolocation, genetic data, religion, philosophy, driver’s license, passport number, financial account numbers, etc.
Colorado	Colorado Privacy Act (CPA)	…any information, within reason, that can be linked with a distinguishable person, with the exception of de-identified data.
Connecticut	Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)	…any information linked or reasonably linkable to an identifiable or identified individual, does not include publicly available or de-identified information.
Virginia	Virginia Consumer Data Protection Act (VCDPA)	…any information that is reasonably linkable or already linked to a natural person.

 

While this is not a complete list of the many definitions of “personal information” it showcases the importance of researching your local privacy laws and the regions your organization does business in to understand what information should be protected using additional security methods.

What is personally identifiable information (PII)?

Personal information and PII are often treated as one and the same, however, there is an important distinction between the two. PII is a subset of personal data that is considered sensitive data; capable of directly identifying an individual on its own or when combined with other information.

PII is a very common definition in the United States and moderately popular in other countries as well. It is the main reason why there are multiple mentions of “identifiable” information in different definitions of personal data in specific U.S. state laws.

What are the types of personal information?

Under the various Privacy Acts, there are several categories of personal information that should not be handled carelessly. Below are the types of the types of personal information generally covered:

1. Private information
2. Sensitive personal data information
3. Health information
4. Tax information
5. Employee information
6. Credit card information
7. ID numbers
8. Online or technical identifiers
9. Encrypted and pseudonymized data
10.  

Private personal information

Private information is simply information that is associated with a person’s or group’s life. They include data, facts and other restricted materials that define a person’s identity and behavior. It may or may not link directly to a person, but it is significant to their identity. Examples of private information include:

• Your phone password
• The pin to your bank ATM
• Voting choice, etc.

Sensitive personal information

Just as the name implies, sensitive personal information is a type of personal information that encompasses deep and delicate information about someone. Unsurprisingly, the level of privacy protection on sensitive data is more than other types of personal information. Examples of sensitive personal information about an individual may include:

• Racial origin
• Political affiliations
• An individual’s criminal records
• Sexual preferences or orientation
• Religious view or practices
• Genetic information
• Health information
• Biometric information such as your fingerprints, electronic signature, etc.

Health information

Health information is another type of personal information and includes individual health disabilities, allergies, injuries and more. Health information can also be considered as sensitive personal information.

Examples of health information include:

1. All types of test results
2. All types of medical reports
3. Medical history
4. Any forms of prescriptions
5. Information about an individual’s choice of organ donation
6. Dental records
7. Information about the genetics of an individual
8. Allergy information, etc.

Tax information

For every taxpayer, there are times where we have little or no choice but to divulge our financial “life” or activities. Tax information can be considered personal information and should only be divulged as required by a relevant agency dealing on your behalf and in your interest. Examples of tax information include tax returns, financial records, pay slips, claims etc.

Payment card information

Payment cards (credit and debit cards)are usually issued out by financial institutions such as banks to their customers for the purpose of transacting.  Credit card information is also personal information, as the information on it is identifiable to a living individual. Fraud and identity theft are the result of credit card data breaches exposing this personal data. Hence, all credit card information should be stored safely. In addition to this, an individual should also check out their card issuer’s privacy policy, in order to know the best ways to opt-out of any potential data sharing.

Examples of information in these credit cards that can be used to identify an individual include:

1. Cardholder name
2. An individuals location or address.
3. Phone number or other communication channels.
4. Primary Account Number (PAN)
5. Service code
6. PIN code
7. CVC2, CVV2, CID
8. Expiration date
9. Biometric information such as fingerprints and electronic signatures, etc.

Employee personal information

For every organization, irrespective of size, their employees’ information must remain protected. As such, this information must not be divulged or leaked to a third-party. The privacy act specifically mandates that information that is identifiable to each and every one of your employees must be handled with care. Examples of such information include:

1. Your employee’s contact information.
2. Their health information
3. Their sexual preferences
4. Religious views
5. Their political affiliation
6. Date of birth

ID numbers

The term “ID numbers” refers specifically to unique identifiers that are assigned to specific individuals by government bodies or organizations. These numbers tend to be extremely sensitive, because they often serve as a direct link to an individual’s information across multiple systems, making it a prime target for identity theft. Examples of such information include:

• Student IDs
• Employee IDs
• Driver’s license numbers
• Insurance policy numbers
• Social Security numbers
• National IDs
• Passport numbers

Online and technical identifiers

Online and technical identifiers are crucial forms of personal information in today’s digital environment. They are typically used to track and identify individual people across different services and platforms. Examples of such information include:

• Device IDs
• RFID tags
• Digital signatures
• IP addresses
• Browser fingerprints
• Email addresses
• MAC addresses
• Cookie identifiers

Encrypted and pseudonymized data

Both encryption and pseudonymization are ways of processing information to make it less directly identifiable. Nevertheless, such information is still considered personal, because it can sometimes be linked back to an individual. Encryption and pseudonymization are strong measures that also require careful handling of encryption keys and algorithms for the information to remain protected. Examples of such information include:

• Coded patient records
• Tokenized payment information
• Encrypted personal records
• Pseudonymized research data
• Anonymized but linkable datasets
• Hashed identifiers

Why personal information needs protection

Protecting personal information can be challenging at times. Here’s why it is important to put in the effort to protecting personal information:

1. To prevent identity theft. When personal information is leaked, the individual’s identity can be stolen
2. To protect financial information. When tax/financial information is leaked out to the wrong hands, especially cybercriminals, they could make unauthorized withdrawals or transfers from the individual’s bank account or file for tax returns on their behalf
3. To protect employment status. Most companies conduct screening for their new or existing recruits. Therefore, if you have incriminating information about yourself leaked online that goes against the company’s policies or requirements, you could lose your job in the process
4. Helps to maintain your business reputation. Data breaches can wreak havoc on a company’s reputation and bottom line from legal fees, fines and remediation steps.

How Businesses Can Protect Personal Information

Businesses are permitted to use and collect personal information in variety of ways for legitimate reasons only. For example, personalizing the user experience, marketing, fraud prevention, product support and user identification. As for the methods used to collect personal information, they include web forms, cookies, and third-party software.

At the same time, it is important to ensure that your business does not collect unnecessary user information. Expressed consent, as many jurisdictions require, is also important, as is documenting the client’s willingness to share information with the software, the business, and other parties.

Best practices for protecting your clients’ personal information include:

• Prioritize privacy. Ensure that customer and employee information is well-protected, and they are aware of their privacy rights.
• Limit data collection to only the information your business needs to function. Not only is it a legal requirement in many regions, but the abundance of sensitive data can burden the data security capabilities of the business.
• Limit data storage. Many data privacy laws limit the storage of information to only so long as it is useful to your business, while also limiting what specific information types you can store.
• Improve security. Considering the increase of data breaches in recent years and the tremendous financial losses a single data breach can cause, maintaining security must be a top priority.
• Control access to sensitive personal information to only those who need it to perform their roles to minimize exposure the possibility of user error.
• Use the FIPPs Principles. The Fair Information Practice Principles (FIPPs) create goals for data usage and privacy, including:
  • Collection Limitation
  • Data Quality
  • Purpose Specification
  • Use Limitation
  • Security Safeguards
  • Openness
  • Individual Participation
  • Accountability
• Encrypt or pseudonymize data to prevent unauthorized users and third-party from accessing it.

How Consumers Can Protect Their Personal Information

In addition to implementing best practices, many laws also require businesses to provide customers with options to protect their personal information.

• The right to object to collecting certain data types is required by many laws, which is why it is important to provide customers with this option to remain compliant.
• Allow customers to set cookie preferences, a requirement under GDPR for companies based in the EI or serve EU customers. You must notify website visitors of cookie usage and allow site users to block, accept, or customize their cookie preferences.
• Encourage website users to read your privacy policies or terms and conditions by linking them to prominent areas of your website, such as landing pages and online forms. Depending on where your customers are located and the laws that apply, you may also need to display options for consent to communicate and process information.

Security tools to protect PII and sensitive information in enterprise systems

Businesses that are unable to maintain the integrity of their clients’ sensitive personal information or PII are subject to significant regulatory penalties and financial losses if the information becomes compromised, leaked, or maliciously accessed. The best way to prevent these outcomes is to implement proactive security tools that monitor and control interactions with sensitive personal data.

NC Protect manages data privacy with dynamic, data-centric policies that secure file access and control how authorized users can share and utilize documents containing PII, while providing a clear audit trail of access and use. It is fully integrated with Microsoft 365 apps including SharePoint® Online, SharePoint Server, Windows File Shares and Nutanix Files.

NC Protect ensures data privacy compliance and information security by continuously validating access requests against regulatory and corporate policies and simultaneously applying apply file level controls to protect against data breaches, unauthorized access and misuse.